Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A method for access control which is performed by a hardware processor, and the method comprises: a group of tasks are executed, controlling an access of a subject to an object according to operation permission corresponding to each of the tasks in the group of tasks; wherein before the group of tasks are executed, the method further comprises: obtaining the operation permission corresponding to each of the tasks in the group of tasks according to a preset correspondence relationship between each of the tasks in the group of tasks and the operation permission; wherein obtaining the operation permission corresponding to each of the tasks in the group of tasks according to the preset correspondence relationship between each of the tasks in the group of tasks and the operation permission comprises: obtaining a role corresponding to the subject executing each of the tasks according to a preset correspondence relationship between the subject and the role; obtaining a first operation permission corresponding to the role according to a preset correspondence relationship between the role and the operation permission; and taking an intersection of a second operation permission corresponding to the task in the preset correspondence relationship between each of the tasks in the group of tasks and the operation permission, and the first operation permission corresponding to the obtained role corresponding to the subject executing the task as the operation permission for each of the tasks.
2. The method as claimed in claim 1, wherein before obtaining the operation permission corresponding to each of the tasks in the group of tasks according to the preset correspondence relationship between each of the tasks in the group of tasks and the operation permission, the method further comprises: receiving a request for a workflow initiated by the subject; and obtaining the group of tasks for each process completing the workflow.
This invention relates to workflow management systems, specifically addressing the challenge of dynamically assigning operation permissions to tasks within a workflow based on predefined relationships. The system ensures that subjects (e.g., users or automated processes) are granted appropriate permissions to execute tasks as part of a larger workflow, enhancing security and operational efficiency. The method involves receiving a request from a subject to initiate a workflow, which triggers the retrieval of a predefined group of tasks required to complete the workflow. Before assigning operation permissions to these tasks, the system establishes a correspondence between each task and the necessary permissions. This ensures that only authorized subjects can perform specific tasks, reducing unauthorized access risks. The permissions are then obtained and applied to each task in the group, enabling the workflow to proceed securely. The invention improves upon existing workflow systems by dynamically linking tasks to permissions, rather than relying on static role-based access controls. This approach allows for more granular and context-aware permission management, adapting to the specific requirements of each workflow. The system is particularly useful in environments where workflows involve multiple steps with varying security requirements, such as enterprise software, automation pipelines, or collaborative platforms.
3. The method as claimed in claim 2, wherein obtaining the group of tasks for each process completing the workflow comprises: initializing the workflow to generate a workflow instance, and dividing the workflow instance into the group of tasks.
This invention relates to workflow management systems, specifically improving task allocation and execution in automated workflows. The problem addressed is the inefficient division and assignment of tasks within a workflow, leading to bottlenecks, delays, or suboptimal resource utilization. The solution involves dynamically generating and distributing tasks from a workflow instance to ensure smooth execution. The method begins by initializing a workflow to create a workflow instance, which represents a specific execution of the workflow. This instance is then divided into a group of tasks, where each task is a discrete unit of work. The division is based on predefined rules or logic that ensures tasks are logically grouped and assigned to appropriate processes or systems for completion. The tasks may be further refined or adjusted based on real-time conditions, such as resource availability or priority. The invention ensures that workflows are broken down into manageable, executable tasks, improving efficiency and adaptability. By dynamically generating and distributing tasks, the system can handle complex workflows with multiple dependencies while maintaining optimal performance. This approach is particularly useful in automated systems where workflows must be executed without manual intervention.
4. The method as claimed in claim 3, wherein dividing the workflow instance into the group of tasks comprises: assigning the group of tasks that need to be executed according to different application programming interfaces called in the workflow instance.
This invention relates to workflow management systems, specifically improving task execution in workflow instances by intelligently dividing tasks based on their required application programming interfaces (APIs). The problem addressed is the inefficiency in executing workflows where tasks rely on different APIs, leading to delays, resource contention, or suboptimal performance due to improper task grouping. The method involves analyzing a workflow instance to identify tasks that must be executed through distinct APIs. These tasks are then grouped together based on their API requirements, ensuring that tasks calling the same API are processed together. This grouping optimizes resource allocation, reduces overhead from switching between APIs, and improves overall workflow execution efficiency. The system may also prioritize or sequence these groups to further enhance performance, particularly in environments where API access is limited or costly. By dynamically organizing tasks according to their API dependencies, the invention ensures that workflows are executed in a manner that minimizes conflicts and maximizes throughput. This approach is particularly useful in distributed systems, cloud computing, or microservices architectures where multiple APIs are involved in a single workflow. The method can be applied to various workflow management systems, including those used in automation, data processing, or business process management.
5. The method as claimed in claim 1, wherein controlling the access of the subject to the object according to the operation permission corresponding to each of the tasks comprises: determining whether the subject is allowed to access to the object according to the operation permission corresponding to a current task in a process of executing each of the tasks; and executing the access to the object in a case of allowing the subject to access to the object.
This invention relates to access control systems for managing subject-object interactions in a computing environment. The problem addressed is the need for fine-grained, task-specific access control to ensure subjects (e.g., users or processes) can only perform operations on objects (e.g., files, databases) that are permitted for their current task within a multi-task workflow. The system determines access permissions dynamically based on the subject's current task in a sequence of tasks. When a subject initiates an operation on an object, the system checks whether the subject is authorized for that operation by referencing the operation permission associated with the current task. If the permission allows access, the operation proceeds; otherwise, it is denied. This approach ensures that subjects only perform actions that are explicitly permitted for their current task, enhancing security and compliance in environments where tasks have distinct access requirements. The method applies to scenarios where tasks are part of a structured process, such as workflow automation, role-based access control (RBAC), or task-based authorization systems. By tying permissions to specific tasks rather than static roles or broad privileges, the system reduces the risk of unauthorized access while maintaining flexibility in dynamic workflows. The solution is particularly useful in environments where subjects may perform multiple tasks with varying access needs, such as enterprise applications, cloud services, or multi-tenant systems.
6. The method as claimed in claim 5, wherein after executing the access to the object, the method further comprises: revoking the operation permission corresponding to each of the tasks in the group of tasks and ending each of the tasks in the group of tasks.
This invention relates to a method for managing access permissions and task execution in a computing system, particularly in scenarios where secure and controlled access to objects is required. The problem addressed is ensuring that after an object is accessed, any remaining tasks that were granted permission to operate on that object are properly terminated and their permissions revoked to prevent unauthorized or residual access. The method involves a group of tasks that have been granted operation permissions to access a specific object. After the access to the object is executed, the method proceeds to revoke the operation permissions corresponding to each task in the group. Additionally, each task in the group is terminated to ensure no further operations can be performed on the object. This ensures that once the access is complete, no lingering permissions or tasks remain that could compromise security or system integrity. The method is particularly useful in environments where strict access control and task management are necessary, such as in secure computing systems, multi-user environments, or applications requiring high levels of data protection. By automatically revoking permissions and terminating tasks, the method minimizes the risk of unauthorized access or residual operations that could lead to security vulnerabilities.
7. The method as claimed in claim 6, wherein revoking the operation permission corresponding to each of the tasks in the group of tasks comprises: determining a life cycle of the role according to a level of the role corresponding to the subject executing each of the tasks in the group of tasks; and revoking the operation permission corresponding to each of the tasks in the group of tasks when the life cycle expires.
This invention relates to role-based access control systems, specifically methods for managing operation permissions in a computing environment. The problem addressed is the need to automatically revoke permissions for tasks associated with a role when the role's life cycle expires, ensuring security and compliance in dynamic environments. The method involves a system where tasks are grouped based on their association with a role assigned to a subject (e.g., a user or process). The system determines the life cycle of the role based on its hierarchical level—higher-level roles may have longer life cycles, while lower-level roles may expire sooner. When the role's life cycle expires, the system revokes the operation permissions for all tasks linked to that role, preventing unauthorized access. This approach ensures that permissions are dynamically adjusted based on role validity, reducing administrative overhead and enhancing security by automatically enforcing permission expiration. The method is particularly useful in environments where roles are temporary or time-sensitive, such as cloud computing, enterprise systems, or multi-tenant applications. By tying permission revocation to role life cycles, the system minimizes the risk of stale or excessive permissions, improving overall system integrity.
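The permission calculation of claim 1, the per-task check of claim 5 and the revocation of claims 6 and 7, sketched as an added example that is not code from the patent. All subject, role, task and object names, the permission tuples and the level-to-lifetime table are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample mappings (assumptions, not taken from the patent text).
SUBJECT_ROLE = {"alice": "operator", "bob": "auditor"}
ROLE_PERMS = {
    "operator": {("read", "vm-config"), ("write", "vm-config"), ("read", "audit-log")},
    "auditor": {("read", "vm-config"), ("read", "audit-log")},
}
TASK_PERMS = {
    "fetch_config": {("read", "vm-config")},
    "apply_config": {("write", "vm-config")},
    "purge_logs": {("delete", "audit-log")},
}
ROLE_LEVEL = {"operator": 2, "auditor": 1}
LIFECYCLE_SECONDS = {1: 60, 2: 300}  # assumed mapping: role level -> permission lifetime


def effective_permissions(subject, tasks):
    """Per task: role permissions intersected with task permissions.

    Unknown subjects, roles or tasks resolve to an empty set (deny by default).
    """
    role = SUBJECT_ROLE.get(subject)
    role_perms = ROLE_PERMS.get(role, set())
    return {t: role_perms & TASK_PERMS.get(t, set()) for t in tasks}


@dataclass
class TaskGroupGrant:
    subject: str
    tasks: list
    granted_at: float
    perms: dict = field(init=False)
    expires_at: float = field(init=False)

    def __post_init__(self):
        # Permissions are computed once, before the group of tasks runs.
        self.perms = effective_permissions(self.subject, self.tasks)
        level = ROLE_LEVEL.get(SUBJECT_ROLE.get(self.subject))
        self.expires_at = self.granted_at + LIFECYCLE_SECONDS.get(level, 0)

    def is_allowed(self, current_task, operation, obj, now):
        # The check uses only the current task's permission set.
        if now >= self.expires_at:
            self.revoke()
        return (operation, obj) in self.perms.get(current_task, set())

    def revoke(self):
        # Drop every task's permissions and end the group.
        self.perms = {}
        self.tasks = []


def run_demo():
    grant = TaskGroupGrant("bob", ["fetch_config", "apply_config"], granted_at=0.0)
    return [
        grant.is_allowed("fetch_config", "read", "vm-config", now=10.0),   # in both sets
        grant.is_allowed("apply_config", "write", "vm-config", now=10.0),  # role lacks write
        grant.is_allowed("fetch_config", "read", "audit-log", now=10.0),   # task lacks it
        grant.is_allowed("fetch_config", "read", "vm-config", now=61.0),   # life cycle expired
    ]


if __name__ == "__main__":
    print(run_demo())
```

The third result is the case the intersection exists for: the auditor role may read the audit log, but not while running a task whose own permission set does not include it.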
8. A device for access control, wherein the device comprises a hardware processor configured to execute program components stored on a memory, and the program components comprise: a control component arranged to, a group of tasks are executed, control an access of a subject to an object according to operation permission corresponding to each of the tasks in the group of tasks; wherein the device further comprises: a first obtaining component arranged to obtain the operation permission corresponding to each of the tasks in the group of tasks according to a preset correspondence relationship between each of the tasks in the group of tasks and the operation permission; wherein the first obtaining component comprises: a first obtaining element arranged to obtain a role corresponding to the subject executing each of the tasks according to a preset correspondence relationship between the subject and the role; a second obtaining element arranged to obtain a first operation permission corresponding to the role according to a preset correspondence relationship between the role and the operation permission; and a calculating component arranged to take an intersection of a second operation permission corresponding to the task in the preset correspondence relationship between each of the tasks in the group of tasks and the operation permission and the first operation permission corresponding to the obtained role corresponding to the subject executing the task as the operation permission for each of the tasks.
A device for access control, powered by a hardware processor executing program components from memory, includes a control component that manages user (subject) access to resources (objects) by executing a group of tasks according to specific permissions for each task. Before task execution, a permission obtaining component determines these task-specific permissions. This component first identifies the subject's role from a predefined user-role mapping. It then retrieves initial permissions associated with that role from a role-permission mapping. Concurrently, it identifies baseline permissions for each task from a task-permission mapping. The final operation permission for each task is then calculated by taking the intersection of the role's initial permissions and the task's baseline permissions.
9. The device as claimed in claim 8, wherein the device further comprises: a receiving component arranged to receive a request for workflow initiated by the subject; and a second obtaining component arranged to obtain the group of tasks for each process completing the workflow.
This invention relates to a system for managing workflows involving multiple processes and tasks. The system addresses the challenge of coordinating complex workflows where multiple processes must be completed in a specific sequence or in parallel, often requiring input from different users or systems. The invention provides a structured approach to defining, tracking, and executing these workflows efficiently. The device includes a first obtaining component that retrieves a set of processes required to complete a workflow. Each process within the workflow is associated with a group of tasks that must be performed. A second obtaining component then retrieves the specific tasks for each process, ensuring that all necessary steps are identified and organized. Additionally, a receiving component captures requests initiated by a subject, such as a user or system, to start the workflow. This allows the system to dynamically respond to user actions and trigger the appropriate processes and tasks. The system ensures that workflows are executed in a controlled manner, with clear definitions of processes and tasks, and supports real-time initiation and tracking of workflow progress. This improves efficiency and reduces errors in complex workflow environments.
10. The device as claimed in claim 8, wherein the control component comprises: a determining element arranged to determine whether the subject is allowed to access to the object according to the operation permission corresponding to a current task in a process of executing each of the tasks; and an executing element arranged to execute the access to the object in a case of allowing the subject to access to the object.
This invention relates to a security control device for managing access to objects within a system, addressing the problem of unauthorized access during task execution. The device includes a control component that regulates access based on predefined operation permissions tied to specific tasks. The control component has a determining element that evaluates whether a subject (e.g., a user or process) is permitted to access an object (e.g., a file, resource, or system component) by checking the operation permission associated with the current task being executed. If access is allowed, an executing element proceeds to grant the access. The device ensures that access permissions are dynamically enforced during task execution, preventing unauthorized operations. The control component may also include a monitoring element to track task progress and a permission management element to update or verify permissions. The invention improves security by restricting access to only what is necessary for the current task, reducing the risk of unauthorized data breaches or system manipulations. The system is particularly useful in environments where multiple users or processes interact with shared resources, such as enterprise networks or cloud computing platforms.
11. The device as claimed in claim 8, wherein the device further comprises: a revoking component arranged to revoke the operation permission corresponding to each of the tasks in the group of tasks and end each of the tasks in the group of tasks after executing the access to the object.
This invention relates to a system for managing task execution and access permissions in a computing environment. The problem addressed is ensuring secure and controlled access to shared objects while preventing unauthorized or prolonged task operations. The system includes a device that monitors and manages a group of tasks, each with an associated operation permission for accessing a shared object. The device tracks the execution of these tasks and ensures that access to the object is granted only when necessary. After the access is completed, the device revokes the operation permissions for all tasks in the group and terminates each task to prevent further unauthorized operations. This mechanism ensures that tasks do not retain access permissions beyond their intended use, enhancing security and resource management. The revoking component is a key feature that enforces strict access control by terminating tasks and revoking permissions immediately after the object access is completed, thereby minimizing the risk of unauthorized access or resource misuse. The system is particularly useful in environments where multiple tasks require temporary access to shared resources, such as databases, files, or hardware components, while maintaining strict security protocols.
12. A non-transitory computer storage medium, in which a computer program code is stored and the computer program code is performed by a processor, wherein the program code is arranged to execute the following method: executing a group of tasks, and controlling an access of a subject to an object according to operation permission corresponding to each of the tasks in the group of tasks; wherein before the group of tasks are executed, the method further comprises: obtaining the operation permission corresponding to each of the tasks in the group of tasks according to a preset correspondence relationship between each of the tasks in the group of tasks and the operation permission; wherein obtaining the operation permission corresponding to each of the tasks in the group of tasks according to the preset correspondence relationship between each of the tasks in the group of tasks and the operation permission comprises: obtaining a role corresponding to the subject executing each of the tasks according to a preset correspondence relationship between the subject and the role; obtaining a first operation permission corresponding to the role according to a preset correspondence relationship between the role and the operation permission; and taking an intersection of a second operation permission corresponding to the task in the preset correspondence relationship between each of the tasks in the group of tasks and the operation permission, and the first operation permission corresponding to the obtained role corresponding to the subject executing the task as the operation permission for each of the tasks.
This invention relates to a computer-implemented access control system that manages permissions for executing tasks based on roles and predefined relationships. The system operates by executing a group of tasks while controlling access to objects according to operation permissions assigned to each task. Before execution, the system determines the operation permission for each task by referencing a preset correspondence between tasks and permissions. This involves identifying the role of the subject (e.g., user or process) executing the task, retrieving the operation permissions associated with that role, and then intersecting those permissions with the permissions specifically assigned to the task. The resulting intersection defines the final operation permission for the task, ensuring that access to objects is granted only if both the role and task permissions allow it. This approach enhances security by dynamically enforcing fine-grained access control based on both the subject's role and the specific task being performed. The system is implemented via a computer program stored on a non-transitory storage medium and executed by a processor.
July 14, 2020